1. The Merkle-Hellman Knapsack Systems.


In this section we briefly outline the Merkle-Hellman cryptographic system. A fuller description can be found in [1].

A knapsack system is a vector of n natural numbers $(a_1, \ldots, a_n)$. It represents a collection of knapsack problems (or instances) of the following type: given an integer S, find a 0-1 valued vector $(x_1, \ldots, x_n)$ such that

$$S = \sum_{i=1}^{n} x_i a_i$$

(if one exists). Knapsack problems are known to be NP-complete ([2]), and thus they serve as an attractive source for cryptographic functions.

One way of using knapsack systems in public-key cryptography (see [3] for definitions) is to let each network member publish his knapsack system $(a_1, \ldots, a_n)$ in a publicly available network directory. Anyone wishing to send an n-bit message $X = (x_1, \ldots, x_n)$ to a network member uses the latter's known knapsack system in order to calculate the sum

$$S = \sum_{i=1}^{n} x_i a_i ,$$

and to send it over the (insecure) communication channel. An eavesdropper who gets hold of S and who tries to recover X from S is faced with the apparently impossible task of solving the corresponding knapsack problem.

In order to enable the intended receiver of S to solve this knapsack problem, some hidden structure must be embedded in the knapsack system $(a_1, \ldots, a_n)$. This structure should be hard to find (i.e., the knapsack system should look like an n-tuple of random numbers to the uninformed observer), but it should enable those who know it to decode encrypted messages quickly by a shortcut method.

The knapsack systems Merkle and Hellman use are based on superincreasing sequences. A vector $(a'_1, \ldots, a'_n)$ of natural numbers is a superincreasing sequence if for each $1 \le i \le n$,

$$a'_i > \sum_{j=1}^{i-1} a'_j .$$

A simple example of a superincreasing sequence is $(1, 2, 4, 8, \ldots, 2^{n-1})$, in which each number equals the sum of its predecessors plus one. Considered as a knapsack system, there is an easy algorithm for solving all the instances of a superincreasing sequence by successive subtractions (see [1] for details): the largest element not exceeding the target must be in the sum, so it is subtracted and the process is repeated with the remaining elements.

The numbers $a'_i$ cannot be published in the public directory, since their obvious structure enables any eavesdropper to decode encrypted messages S. To hide this structure, Merkle and Hellman suggest using a modulus m and a multiplier w, such that $m > \sum_{i=1}^{n} a'_i$ and $\gcd(w, m) = 1$ (this ensures the existence of a multiplicative inverse $w^{-1}$ of w modulo m). Instead of publishing $a'_i$, the network member publishes the numbers $a_i$, where for each $1 \le i \le n$

$$a_i = a'_i \, w \pmod m .$$

The network member, who knows the unpublished numbers m and w he used, can quickly transform any instance $S = \sum_{i=1}^{n} x_i a_i$ of the apparently difficult knapsack system $(a_1, \ldots, a_n)$ to an instance

$$S \, w^{-1} = \sum_{i=1}^{n} x_i a'_i \pmod m$$

of the easily solvable knapsack system $(a'_1, \ldots, a'_n)$ (the condition $m > \sum a'_i$ guarantees that the reduction modulo m yields the true sum), and thus decode S into X. To use this efficient method, a cryptanalyst must determine m and w from the published numbers $(a_1, \ldots, a_n)$; the difficulty of this problem is studied in the next section.

In their paper, Merkle and Hellman recommend the following specific parameters for their knapsack systems:

(i) n = 100 (knapsack systems with one hundred elements).

(ii) Each $a'_i$ is randomly chosen from a uniform distribution over the interval $[(2^{i-1} - 1) \cdot 2^{100} + 1,\; 2^{i-1} \cdot 2^{100}]$ (it is a (99+i)-bit natural number).

(iii) The modulus m is chosen uniformly from the interval $[2^{201} + 1,\; 2^{202} - 1]$ (thus making all the $a_i$ pseudo-random 202-bit natural numbers).

(iv) The multiplier w is chosen uniformly from the interval $[2, m-2]$ and then divided by its gcd with m.


2. The Cryptanalytic Attack.

The starting point for our cryptanalytic attack was the following challenge in Merkle and Hellman's paper:

"Attempts to break the system can start with simplified problems (e.g., assuming m is known). If even the most favored of certificational attacks is unsuccessful, then there is a margin of safety against cleverer, wealthier, or luckier opponents. Or, if the favored attack is successful, it helps to establish where the security really must reside. For example, if knowledge of m allows solution, then an opponent's uncertainty about m must be large."

In this section we show that the knowledge of m makes any standard-parameter Merkle-Hellman knapsack system highly vulnerable to cryptanalysis.

The key idea is that the first two numbers $a'_1$ and $a'_2$ in the unknown superincreasing sequence are much smaller than the modulus m (for the recommended parameters, $a'_1$, $a'_2$ and m are 100, 101 and 202 bits long, respectively). We assume that in the list of published numbers $a_1, \ldots, a_n$ the cryptanalyst can identify the two numbers $a_1$ and $a_2$ which correspond to $a'_1$ and $a'_2$ (if these numbers are published in a shuffled order, the cryptanalyst can repeat the following procedure for each one of the $100 \cdot 99$ possible pairs of published numbers, and still break the system in reasonable time). Since m is known, we can calculate the quotient q:

$$q = \frac{a_1}{a_2} \pmod m .$$

But $a_i = a'_i \, w \pmod m$ and thus

$$q = \frac{a'_1 \, w}{a'_2 \, w} = \frac{a'_1}{a'_2} \pmod m ,$$

or

$$a'_1 = a'_2 \, q \pmod m .$$


Consider now the set of all the modular multiples of q for multipliers in the range $[1, 2^{101}]$:

$$\{\, 1 \cdot q \bmod m,\; 2 \cdot q \bmod m,\; \ldots,\; 2^{101} \cdot q \bmod m \,\} .$$

Since $a'_2 \le 2^{101}$, $a'_2 \, q \bmod m$ (which is equal to $a'_1$) is in this set. All these $2^{101}$ multiples are very evenly distributed in the interval $[0, m-1]$, and thus the smallest number among them is likely to be around $m / 2^{101} \approx 2^{202} / 2^{101} = 2^{101}$. But $a'_1$ is known to be smaller than or equal to $2^{100}$, and thus $a'_1$ itself is likely to be the smallest number in this set. Consequently all we need in order to find (a candidate for) $a'_1$ is to find the minimum value of $j \, q \bmod m$ when j ranges over the interval $[1, 2^{101}]$ and q, m are known. Efficient methods for solving this number-theoretic problem (using the continued fraction approximation of the ratio q/m) can be found in [4] and [5].

Once a candidate value for $a'_1$ is found (the minimizing multiplier j is, correspondingly, a candidate for $a'_2$), w can be calculated as $a_1 / a'_1 \pmod m$ and then the whole sequence $a'_i$ can be generated from m, w and the published numbers $a_i$. If the candidate value for $a'_1$ is the correct one, the calculated sequence $a'_i$ will turn out to be superincreasing, thus verifying the candidate and giving a quick way of solving instances of the published knapsack system.
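The scheme of Section 1 and the attack just described, as an added worked example (Python written for this edition, not code from the paper): key generation with the recommended parameters (i)-(iv), encryption, decryption by successive subtraction, and the known-modulus attack. The minimum of $j \, q \bmod m$ over $j \le 2^{101}$ is found by walking the continued fraction of q/m, in the spirit of [4] and [5], rather than by trying all $2^{101}$ multipliers. Two details the paper glosses over are handled as this example's own choices: dividing w by $\gcd(w, m)$ as in (iv) does not always leave w invertible modulo m, so w is resampled until it is; and when $a_2$ or the candidate $a'_1$ is not invertible modulo m, the attack divides the other way round (using $a_2 / a_1$ and multipliers up to $2^{100}$) or derives w from the candidate $a'_2$. Function names and RNG seeds are this example's own.

```python
# Added example, not code from the paper: a toy Merkle-Hellman knapsack with the
# parameters recommended in Section 1, and the known-modulus attack of Section 2.
# Python 3.8+ (pow(x, -1, m) computes a modular inverse).
import random
from math import gcd

N = 100           # knapsack size n
LOW_BITS = 100    # a'_1 <= 2^100, a'_2 <= 2^101; a'_i is a (99+i)-bit number
M_BITS = 202      # m is a 202-bit modulus

def is_superincreasing(seq):
    return all(a > sum(seq[:i]) for i, a in enumerate(seq))

def keygen(rng):
    """(i)-(iv): a'_i uniform in [(2^(i-1)-1)*2^100 + 1, 2^(i-1)*2^100],
    m uniform in [2^201 + 1, 2^202 - 1], w uniform in [2, m-2] and invertible."""
    priv = [rng.randint((2 ** (i - 1) - 1) * 2 ** LOW_BITS + 1, 2 ** (i - 1) * 2 ** LOW_BITS)
            for i in range(1, N + 1)]
    m = rng.randint(2 ** (M_BITS - 1) + 1, 2 ** M_BITS - 1)
    w = rng.randint(2, m - 2)
    while gcd(w, m) != 1:          # (iv) divides w by gcd(w, m), which does not always
        w = rng.randint(2, m - 2)  # leave w invertible mod m; this example resamples
    assert is_superincreasing(priv) and m > sum(priv)
    return priv, m, w, [(a * w) % m for a in priv]     # a_i = a'_i * w (mod m)

def encrypt(pub, bits):
    """S = sum of x_i * a_i over the published knapsack."""
    return sum(a for a, x in zip(pub, bits) if x)

def solve_superincreasing(priv, s):
    """Successive subtraction: the largest a'_i not exceeding s must be in the sum."""
    bits = [0] * len(priv)
    for i in range(len(priv) - 1, -1, -1):
        if priv[i] <= s:
            bits[i], s = 1, s - priv[i]
    return bits if s == 0 else None

def decrypt(priv, m, w, s):
    """S * w^-1 (mod m) is an instance of the easy knapsack (a'_1, ..., a'_n)."""
    return solve_superincreasing(priv, (s * pow(w, -1, m)) % m)

def min_multiple(q, m, bound):
    """(j, j*q mod m) minimising j*q mod m over 1 <= j <= bound.  The successive
    minima occur at denominators of the lower convergents and semiconvergents of
    q/m, so one walk down its continued fraction replaces 2^101 trial multiplies."""
    q %= m
    best_j, best_v = 1, q
    p_prev, d_prev, p_cur, d_cur = 0, 1, 1, 0   # convergents c_{-2} = 0/1, c_{-1} = 1/0
    num, den, k = q, m, 0
    while den:
        a, rem = divmod(num, den)               # a = k-th partial quotient of q/m
        num, den = den, rem
        if k >= 2 and k % 2 == 0:
            # even k: c_{k-2} < q/m, and (p_{k-2} + t p_{k-1})/(d_{k-2} + t d_{k-1}),
            # t = 1..a, are the next approximations from below, each a new minimum
            for t in range(1, a + 1):
                j = d_prev + t * d_cur
                if j > bound:
                    return best_j, best_v
                best_j, best_v = j, j * q - (p_prev + t * p_cur) * m
        p_prev, d_prev, p_cur, d_cur = p_cur, d_cur, p_prev + a * p_cur, d_prev + a * d_cur
        k += 1
    if best_v > 0 and d_cur <= bound:           # final convergent is q/m itself: j*q = 0 mod m
        return d_cur, 0
    return best_j, best_v

def attack_known_modulus(pub, m, i1=0, i2=1):
    """Section 2: m is known and pub[i1], pub[i2] are the disguised a'_1, a'_2.
    Returns an equivalent (a'_1..a'_n, w) or None if the minimum found is not a'_1."""
    a1, a2 = pub[i1], pub[i2]
    # The paper divides a_1 by a_2.  If a_2 is not invertible mod m we divide the
    # other way round: a'_2 <= 2^101 is then the likely minimum over 2^100 multiples.
    for x, y, bound in ((a1, a2, 2 ** (LOW_BITS + 1)), (a2, a1, 2 ** LOW_BITS)):
        if gcd(y, m) != 1:
            continue
        q = (x * pow(y, -1, m)) % m            # q = x'/y' (mod m) for the hidden x', y'
        j, small = min_multiple(q, m, bound)   # candidates: x' = small, y' = j
        for hidden, public in ((small, x), (j, y)):
            if gcd(hidden, m) != 1:            # w = a_i / a'_i (mod m) needs a'_i invertible
                continue
            w = (public * pow(hidden, -1, m)) % m
            w_inv = pow(w, -1, m)
            priv = [(a * w_inv) % m for a in pub]
            if is_superincreasing(priv) and m > sum(priv):   # verifies the candidate
                return priv, w
    return None

def demo(seed):
    """Key generation, one round trip and the attack for a seeded RNG; returns
    (round_trip_ok, attack_found_key, recovered_key_decrypts)."""
    rng = random.Random(seed)
    priv, m, w, pub = keygen(rng)
    msg = [rng.getrandbits(1) for _ in range(N)]
    s = encrypt(pub, msg)
    found = attack_known_modulus(pub, m)
    return (decrypt(priv, m, w, s) == msg, found is not None,
            found is not None and decrypt(found[0], m, found[1], s) == msg)
```

Running demo(seed) over a handful of seeds shows the attack recovering a decrypting key for most of them; the failures are the cases anticipated in the text, where another multiple of q happens to fall below $a'_1$ (or, for the reverse direction, below $a'_2$). Rerunning attack_known_modulus over all 100 · 99 pairs of positions covers the shuffled-order case.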

It is easy to see that for other choices of the parameters, this cryptanalytic attack has a good probability of success only as long as $a'_1 a'_2$ is not much larger than m. The network member can of course use Merkle-Hellman knapsack systems in which this condition does not hold. There are two reasons why such a simple solution might not be adequate:

(i) If $m > \sum_{i=1}^{n} a'_i$ and $(a'_1, \ldots, a'_n)$ is superincreasing, then a simple calculation shows that $m > 2^{n-1} a'_1$ and $m > 2^{n-2} a'_2$ (each partial sum $\sum_{j \le i} a'_j$ is more than twice the previous one), and thus $a'_1 a'_2 < m^2 / 2^{2n-3}$. To make $a'_1 a'_2$ much bigger than m in a hundred-element knapsack system (which is the minimum secure value), m must have considerably more than 200 bits. This slows down the computations and worsens the ratio between the number of bits in encrypted and original messages.

(ii) Our cryptanalytic method uses only the two smallest numbers in the superincreasing sequence $a'_i$. If three or more elements are considered simultaneously, the condition that $a'_1 a'_2$ be not much larger than m can be weakened considerably. Although we do not know how to do it at present, it seems dangerous to assume that such an extension is impossible.

3. Safer Variants of the Merkle-Hellman Knapsack Systems.

After defining their basic knapsack systems, Merkle and Hellman note that a safer knapsack system can be obtained by iterating the modular multiplication technique a number of times. At each iteration a new modulus $m_j$ (with $m_j > \sum_{i=1}^{n} a_i$) and a new multiplier $w_j$ (with $\gcd(w_j, m_j) = 1$) are chosen, and all the knapsack elements $a_i$ are replaced by $a_i \, w_j \pmod{m_j}$. The decoding of encrypted messages is done by successively dividing them by the $w_j$ (mod $m_j$) in the reverse order, thus unwinding the iterations all the way back to the original superincreasing sequence.

When two or more iterations are used in order to obscure the structure of the superincreasing sequence, our cryptanalytic attack becomes ineffective (even when all the moduli $m_j$ and all but the last $w_j$ are known). The reason is that when we attempt to strip the last $w_j$ from the knapsack elements by dividing pairs of the published numbers modulo the last $m_j$, we are left with large, random-looking numbers (the results of the last-but-one iteration) to which the minimization technique cannot be applied.

In their paper, Merkle and Hellman express the belief that knapsack systems obtained by two iterations are strictly more secure than their simple, single-iteration knapsack systems. Our method is an explicit cryptanalytic example which substantiates Merkle and Hellman's intuitive feeling.

Another way of eliminating the potential weakness represented by extremely small knapsack elements has been suggested (independently) by Graham and Shamir. The idea is to use structured numbers, whose low-order parts form a superincreasing sequence and whose high-order parts are strings of random bits:

                high-order part      low-order part
    a'_1  =     (random bits)        0 0 ... 0 0 *
    a'_2  =     (random bits)        0 0 ... 0 * *
      .              .                     .
    a'_n  =     (random bits)        * * ... * * *
                                     (superincreasing sequence)


I 
Due to the existence of the high-order "noise", none of these numbers is likely to be small, but when some of them are added together, the sum can still be decoded by disregarding its high-order part and analyzing its low-order part in the usual way.

A particularly simple knapsack system is obtained when the low-order part is decomposed further in the following way (see the figure at the end of this section): the low-order part of $a'_i$ consists of the i-th row of an n-by-n diagonal matrix, followed by a block of zeros, followed by random low-order bits:

    a'_i  =  (random bits) | diagonal matrix row i | 0 ... 0 | (random bits)

The block of zeros between the low-order random bits and the diagonal matrix is $\log_2 n$ bits wide. Its purpose is to serve as a buffer zone, so that even when all the n numbers $a'_i$ are added together, the sum of the low-order bits does not overflow into the region of the diagonal matrix.

To obscure this structure, we use k > 1 iterations of Merkle and Hellman's modular multiplication technique. Encrypted messages are now very easy to decode: once we unwind the iterations back to the $a'_i$ knapsack system, the decoded message can be read off an intermediate interval of bits (the diagonal-matrix block) in the (augmented) encoded message, without any further computations. This variant of Merkle and Hellman's scheme seems to be safer, faster and simpler to implement than the original variant recommended in [1].
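The simplified variant, as an added worked example (Python written for this edition, not code from the paper): the structured numbers are built from a random high-order part, a diagonal block of n bits, a zero buffer of $\lceil \log_2 n \rceil$ bits and random low-order bits, disguised by k iterations of modular multiplication, and decoded by unwinding the iterations and reading the message off the diagonal block. The field widths HIGH_BITS and LOW_BITS and the range from which the moduli $m_j$ are drawn are assumptions of this example; the paper does not fix them.

```python
# Added example, not code from the paper: the simplified Graham-Shamir variant of
# Section 3, obscured by k iterations of modular multiplication.  The field
# widths HIGH_BITS and LOW_BITS and the range the moduli m_j are drawn from are
# this example's assumptions; the paper does not fix them.
import random
from math import gcd

N = 100                          # knapsack size n, one diagonal bit per element
HIGH_BITS = 100                  # random high-order "noise"
LOW_BITS = 40                    # random low-order bits
BUFFER = (N - 1).bit_length()    # ceil(log2 n) zeros: n low parts summed cannot carry past them
SHIFT = BUFFER + LOW_BITS        # bit position of the diagonal block

def structured_elements(rng):
    """a'_i = [random high part][diagonal bit i][log2 n zeros][random low part]."""
    return [(rng.getrandbits(HIGH_BITS) << (N + SHIFT)) | (1 << (SHIFT + i))
            | rng.getrandbits(LOW_BITS) for i in range(N)]

def iterate(elements, k, rng):
    """k rounds of a_i <- a_i * w_j (mod m_j) with m_j > sum(a_i) and gcd(w_j, m_j) = 1.
    Returns the published elements and the trapdoor [(m_1, w_1), ..., (m_k, w_k)]."""
    trapdoor = []
    for _ in range(k):
        total = sum(elements)
        m = rng.randint(total + 1, 2 * total)     # assumption: m_j drawn from (sum, 2 sum]
        w = rng.randint(2, m - 2)
        while gcd(w, m) != 1:
            w = rng.randint(2, m - 2)
        elements = [(a * w) % m for a in elements]
        trapdoor.append((m, w))
    return elements, trapdoor

def encrypt(pub, bits):
    return sum(a for a, x in zip(pub, bits) if x)

def decrypt(trapdoor, s):
    """Divide by the w_j (mod m_j) in reverse order; m_j > sum of the previous stage's
    elements keeps every intermediate sum exact.  Then read the message off the
    diagonal block: no subtraction loop is needed."""
    for m, w in reversed(trapdoor):
        s = (s * pow(w, -1, m)) % m
    diag = (s >> SHIFT) & ((1 << N) - 1)
    return [(diag >> i) & 1 for i in range(N)]

def demo(seed, k=2):
    """Round trip for a random message, the all-ones message (the worst case for the
    buffer zone) and the all-zeros message; True if all three decode correctly."""
    rng = random.Random(seed)
    pub, trapdoor = iterate(structured_elements(rng), k, rng)
    msgs = [[rng.getrandbits(1) for _ in range(N)], [1] * N, [0] * N]
    return all(decrypt(trapdoor, encrypt(pub, msg)) == msg for msg in msgs)
```

The all-ones message exercises the buffer zone: the n random low-order parts sum to less than $n \cdot 2^{\text{LOW\_BITS}} \le 2^{\text{BUFFER} + \text{LOW\_BITS}}$, so their carry never reaches the diagonal block, and each message bit is read straight out of its own bit position after the iterations are unwound.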


                (random high-order part)    diagonal matrix    log2 n zeros    low-order bits
    a'_1  =     (random)                    0 0 ... 0 1        0 ... 0         (random)
    a'_2  =     (random)                    0 0 ... 1 0        0 ... 0         (random)
      .            .                            .                 .                .
    a'_n  =     (random)                    1 0 ... 0 0        0 ... 0         (random)